Cross platform social networking authentication system

ABSTRACT

Disclosed in one example is a method of authenticating with multiple social network services. The method may include storing first authentication information associated with a user for a first social networking service using at least one computer processor, receiving second authentication information associated with the user for a second social networking service from a social networking application, and sending to the social networking application the first authentication information. The first authentication information may enable the social networking application to utilize a protected application programming interface call for the first social networking service and the second authentication information may enable the social networking application to utilize a protected application programming interface call for the second social networking service.

CLAIM OF PRIORITY

This application is a continuation of U.S. patent application Ser. No. 15/064,727, filed on Mar. 9, 2016, which is a continuation of U.S. patent application Ser. No. 13/077,411, filed on Mar. 31, 2011, which claims the benefit of priority to U.S. Provisional Patent Application Ser. No. 61/449,559, filed on Mar. 4, 2011, which applications are incorporated by reference herein in their entireties.

COPYRIGHT NOTICE

A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure, as it appears in the Patent and Trademark Office patent files or records, but otherwise reserves all copyright rights whatsoever. The following notice applies to the software and data as described below and in the drawings that form a part of this document: Copyright Zynga, Inc., 2011. All Rights Reserved.

BACKGROUND

A social networking service is an online service, platform or site that allows members to build or reflect social networks or social relations among members. Typically, members construct profiles, which may include personal information such as name, contact information, employment information, photographs, personal messages, status information, links to web related content, blogs, and so on. Typically, only a portion of a member's profile may be viewed by the general public, and/or other members.

The social networking site allows members to identify and establish links or connections with other members in order to build or reflect social networks or social relations among members. For instance, in the context of a business networking service, a person may establish a link or connection with his or her business contacts, including work colleagues, clients, customers, and so on. With a social networking service, a person may establish links or connections with his or her friends and family. A connection is generally formed using an invitation process in which one member “invites” a second member to form a link. The second member then has the option of accepting or declining the invitation. If the second member accepts the invitation, the first and second members are connected.

In general, a connection or link may represent or may be otherwise associated with an information access privilege, such that a first person who has established a connection with a second person is, via the establishment of that connection, authorizing the second person to view or access non-publicly available portions of their profiles. Of course, depending on the particular implementation of the business/social networking service, the nature and type of the information that may be shared as well as the granularity with which the access privileges may be defined to protect certain types of data can vary greatly.

A variety of different social networking services have gained popularity, including FACEBOOK® of Palo Alto, Calif., MYSPACE® of Beverly Hills, Calif. and run by News Corp., LINKEDIN® of Mountain View, Calif., TWITTER® of San Francisco, Calif., and the like. These sites often allow for third party applications to utilize certain functionality provided by the host social networking service. In some examples, these third party applications may utilize certain user interface (UI) elements of the social networking service, access personal information about a user including profile information, and send and receive social interactions, such as messages, to the user of the third party application or to their connections. FACEBOOK®, for example, allows developers to create applications which are integrated into the FACEBOOK® user interface and with the FACEBOOK® social networking system. In some examples, these applications may include games such as CITYVILLE®, FARMVILLE®, and MAFIAWARS®, all developed by ZYNGA®, Inc. of San Francisco, Calif. These applications appear in a FACEBOOK® page, and make use of various features of FACEBOOK®, such as contacting friends to encourage them to join the game and play with the user and the like.

The social networking services integrate with these applications by providing to these applications an Application Programming Interface or “API.” In general, an Application Programming Interface (API) is a particular set of rules and specifications that a software program may follow to access and make use of the services and resources provided by another particular software program that implements that API. The API serves as an interface between different software programs and facilitates their interaction.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a schematic of an example system according to the present disclosure.

FIG. 2 shows a schematic of an example social networking application according to the present disclosure.

FIG. 3 shows a flowchart of a method of launching a social networking application according to one example of the present disclosure.

FIG. 4 shows a flowchart of a method of authorizing and authenticating a social networking application according to one example of the present disclosure.

FIG. 5 shows a flowchart of a method of sharing authentication and authorization information with social networking applications according to one example of the present disclosure.

FIG. 6 shows a flowchart of a method of sharing authentication and authorization information with social networking applications according to one example of the present disclosure.

FIG. 7 shows a schematic example of a machine implementation according to one example.

In the drawings, which are not necessarily drawn to scale, like numerals may describe similar components in different views. Like numerals having different letter suffixes may represent different instances of similar components. The drawings illustrate generally, by way of example, but not by way of limitation, various embodiments discussed in the present document.

DETAILED DESCRIPTION

In some social networks, in order for an application to be associated with and access certain APIs of a social networking service, certain authentication and/or authorization steps must be performed. A social networking application is associated with a social networking service when the application has been authenticated with that social networking service in a way that allows the social networking application to utilize the API of that social networking service. Typically, API calls requiring authentication return personal information such as a user's social graph or information from the user's member profile or allow the social networking application to take action on behalf of the member. A social graph describes relationships between individuals online. Thus, for example, if two members of a social networking service are “connected,” both users' social graphs will reflect this connection. Typically, these authentication and/or authorization steps can involve authenticating the user, authenticating the social networking application, and authorizing the social networking application to access the particular API call. In some examples, social networking services can utilize the OAuth open authentication methods including OAuth versions 1.0, 1.0 REVISION A, WRAP and 2.0. Information on OAuth can be found by referring to the Internet Engineering Task Force Request for Comment 5849 and Internet-Draft IETF OAuth 2.0 Authorization Protocol v. 2-12 (dated 1-20-2011), both of which are herein incorporated by reference in their entirety.

OAuth provides a method for social networking applications to access certain protected information stored by, and functionalities provided by, social networking services on behalf of a member of that social networking service. One of the stated goals of OAuth is to allow the members to grant access to social networking applications to information and functionalities of social networking services on their behalf without disclosing to the social networking applications their username and password. The end result of the OAuth authentication process in some examples is an access token which the social networking applications can use to act on behalf of the member according to the permissions granted by the member. A benefit of this process is that by using a token, the user can change or revoke the permissions granted without changing the credentials used to login to the social networking service.

An access token is a unique identifier issued by the social networking service and used by the social networking application to associate authenticated requests with the member whose authorization is requested or has been obtained by the social networking application. In some examples, these access tokens have a matching shared-secret that is used by the social networking application to establish its ownership of the access token and its authority to represent the member. In some examples, the access token represents the establishment of a “session” between the social networking application and the social networking server. A session, also known as a communication session, is a permanent or semi-permanent interactive information exchange between communicating devices that is established at a certain point in time and torn down at a later point in time. The token, and subsequently the session, can have an expiry time at which point the session is closed by the social networking service and the token expires such that any API call to the social networking service that utilizes the token will be rejected.

Once a social networking application is authenticated and authorized, the social networking application can access certain API calls (depending on the permissions granted by the user) of the social networking service to which it has authenticated and with which it is associated. In some examples, it may be beneficial for that application to have access to user data on other social networks and to be able to execute certain API calls on those other social networks. This allows the application to provide a richer experience for a user as it allows for aggregation of personal information and connections stored or associated with multiple social networking services, as well as messaging and other API functionality associated with other social networking services.

Utilization of multiple disparate social networking service API functionality involves overcoming several difficulties. First, social networking services may not allow an application that is not currently executing within their framework to authenticate or authorize. Second, in some examples the application is displayed, or executed, in an IFRAME HTML element of the host social networking service after it is retrieved from a server. An IFRAME, or inline frame, places another HTML document in a frame of the current page. Thus, in some examples, the social networking application is displayed as if it were embedded into the social networking service's own pages. In some examples, the social networking application can include HTML, JavaScript, ASP, PHP, MySQL, Flash, JAVA, AJAX, Silverlight, or other interactive web content and languages. While running the application in an IFRAME is advantageous because it appears that the application is a native application of the social network, there are disadvantages as well. Namely, in some cases, a user's internet browser, or the social networking service itself, prohibits the social networking application from contacting, or knowing about, any other URL except both the server from which the social networking application was retrieved and the social networking service itself. These security features prevent the application from directly contacting another social networking service to take advantage of the API functionality of that service. Finally, the multi-stage authentication and authorization process may have to be repeated for each social networking service (i.e., the user would likely have to login multiple times), which may be annoying to the user.

Disclosed is a system, a method, and a machine readable medium for authenticating with one or more social networking services in which the authorization and authentication information obtained by the social networking application after authenticating and/or authorizing with a social networking service is forwarded to a server, which maintains and stores that authentication information for that user. This authentication information can remain valid after the user exits the social networking application. As a result, a new social networking application can then make use of this stored authentication and authorization information. If the new social networking application is launched from the same social network as the stored authorization/authentication information, then it can utilize that information rather than having to reauthorize or reauthenticate. If the new social networking application is launched from a different social networking service than that of the stored authentication and authorization information, then the new social networking application can then make use of the social networking APIs and information for both the social networking service from which it was launched and the social networking service to which the previous authentication/authorization information is associated.

FIG. 1 shows one example system 1000. Typically a user, such as user 1080, will access and communicate with one or more social networking services 1010-1030, 1120 through network 1040. Social networking services 1010-1030, 1120 in some examples may include FACEBOOK®, MYSPACE®, LINKEDIN®, TWITTER®, and the like. In some examples, this communication may be done through the user terminal 1050. User terminal 1050 in some examples may include a personal computer, laptop computer, tablet computer, smart phone or other cellular telephone, electronic book reader, or any other device that allows a user to access the functionality of the social networking service. In some examples, an internet browser 1060 of the user terminal 1050 is used to access the social networking services 1010-1030 and 1120 using network 1040. Internet browser 1060 in some examples may include Internet Explorer® from Microsoft Corp., Redmond, Wash. Network 1040 may be any method by which user terminal 1050 may communicate with one or more social networking services 1010-1030. In some examples, network 1040 may include the internet, a WAN, LAN, cellular network, or any other method of allowing the user terminal 1050 to connect with the social networking service, and the like. While four social networking services are shown in FIG. 1 (1010-1030, 1120), it will be appreciated by those skilled in the art that the system and methods of the current disclosure are applicable to more or fewer than four social networks.

Typically, when a user 1080 accesses a social networking application (such as a game) the user 1080 selects the application via the social networking service 1010-1030, 1120 which then re-directs the user to download the application from another server. In some examples, this server may be located on a social networking application service 1090. The user's browser then displays or executes this application. In some examples, this social networking application 1070 may be or include HTML, JavaScript, Adobe Flash, Microsoft Silverlight, and the like. The social network 1010-1030, 1120 from which the user selected the content may be called the host social network. The user's browser then executes or displays this social networking application 1070 until the user 1080 decides to exit or the application closes or otherwise ends.

In some examples, while the application 1070 executes, it communicates with the host social networking service to which it is associated. Example communications include authenticating, authorizing, utilizing the user interface elements of the host social network, obtaining social network information about user 1080 such as connections with other users, sending messages to other users, and the like.

In some examples, social networking application 1070 may communicate with social networking application service 1090. Social networking application service 1090 may include various functions to assist social networking application 1070. In some examples, social networking application service 1090 may include application module 1100 which stores and delivers to user terminals (including user terminal 1050) social networking application 1070 from storage 1130. In other examples, application module 1100 may contain execution logic for social networking application 1070. Examples of this execution logic include responding to user actions and inputs; payment and purchasing information for purchasing the application or unlocking, accelerating, or making available various features in the application 1070; sending messages to and from various other users of the application; storing application data in data store 1130; providing various media files such as graphics, video, and sound files; and the like. While social networking application service is shown in FIG. 1 as one system, the components and the functionality of social networking application service 1090 could be distributed across multiple systems.

In some examples, social networking application service 1090 includes a server authentication module 1110 which works with client authentication module 2010 (FIG. 2) to authenticate/authorize social networking application 1070 with one or more social networking services 1010-1030. This will be discussed in greater detail later.

In some examples, social networking application service 1090 includes social networking service D 1120. Social networking service D 1120 is another social networking service that is associated with the social networking application service. In some examples social networking service D is run by social networking application service 1090 and thus is more tightly coupled to social networking application service 1090 than social networking services 1010-1030. In some examples social networking service D can provide a common framework for storing all the user 1080's personal information that may be stored across social networking services 1010-1030.

One example social networking application 1070 is shown in FIG. 2. A social networking application 1070 is any application which utilizes, or is capable of utilizing, the API of one or more social networking services. In some examples social networking application 1070 can contain an input/output module 2020. Input/output module 2020 communicates with the user 1080 through user terminal 1050. Input/output module 2020 is responsible for causing the user interface of the social networking application 1070 to be displayed and for handling user inputs.

Application logic module 2030 in some examples is responsible for implementing the primary functions of the social networking application 1070. For example, in the case of a game, the game logic and the game rules are implemented by application logic module 2030. Application logic module 2030 in some examples communicates with application module 1100 using communication module 2040 to communicate changes in application state, user interactions, and to receive instructions for processing application events. In other examples, application logic module 2030 has all the logic necessary to process any application state changes, user interactions and handling application events. In yet other examples application logic module 2030 has logic necessary for handling some application state changes, user interactions and application events while the remaining functionality is handled by application module 1100.

Communication module 2040 communicates with social networking service 1010-1030 and social networking application service 1090. In some examples, this communication can include network communication across network 1040. A variety of methods of communication can be used, including PHP, JavaScript, HTML, AJAX and the like.

Social networking application can include a client authentication module 2010 for managing authentication with one or more social networking services 1010-1030, 1120. Client authentication module 2010 works with server authentication module 1100 of social networking application service 1090 to authenticate and authorize with one or more of social networks 1010-1030, 1120. Client authentication module 2010 can contain the logic necessary to authenticate and authorize social networking application 1070 with social networking services 1010-1030, 1120. Once the client authentication module 2010 authenticates and authorizes the social networking application 1070, client authentication module 2010 receives and validates the authentication information returned from the social networking service. The client authentication module 2010 in some examples can then pass this authentication information to server authentication module 1110 of social networking application service 1090. The passed authentication information in some examples consists of the access token passed by the social networking service 1010-1030 after a session is created due to successful authentication and authorization. In other examples, other information may be passed, including any personal information retrieved from the social networking service 1010-1030 regarding the user 1080. In some examples, this authentication information includes both authorization information and authentication information. In general, the authentication information can include any information necessary to allow a social networking application to utilize an application programming interface on a social networking service, and in some examples information necessary to identify the user 1080.

Server authentication module 1110 of social networking application service 1090 receives this authentication information from client authentication module 2010. Server authentication module 1110 then stores this authentication information in data storage 1130. Server authentication module 1090 can then check data storage 1130 for any other authentication information relating to that user in other social networks 1010-1030, 1120 for the same or other applications. The authentication information in some cases can be related to a particular application available on multiple different social networks and in other cases can be application independent. Thus for example, FARMVILLE® may authenticate with a social networking service for user 1080 and that authentication information may later be used to authenticate that same user 1080 on the same social networking service for CITYVILLE®. In other cases, the authentication or application information may only be used for an instance of that same application (be it on the same or different social networking service). For example, the FARMVILLE® derived authentication information may only be used for FARMVILLE® applications and the like. If any other social networks have valid authentication information, server authentication module 1110 can then send that authentication information to client authentication module 2010 so that social networking application 1070 can utilize the API of other social networks.

In some examples, the authentication information can be shared with or sent to application module 1100 on social networking application service. Application module 1100 can assist social networking application 1070 in making certain API calls to certain social networking services 1010-1030, 1120. In some examples this is to work around certain browser or social networking service restrictions, but in other examples it can be utilized to increase social networking application 1070's performance.

Server authentication module 1110 is responsible for determining that user 1080 has active sessions on social networking services other than the social networking service that is associated with the currently running social networking application 1070. Because different social networks may have different user identification systems, in order to perform this association, server authentication module 1110 can use a variety of factors to associate the user 1080 of social networking application 1070 with authentication and authorization information previously stored in data storage 1130. Some factors include member id, name, social graphs (common friends), address, phone number, email address, TWITTER® account, website links, bank accounts, credit card information, and any other personal identifiable information. In yet other cases, the social networking application 1070 may prompt user 1080 to identify any other user accounts on other social networking services. Once an association is found or determined, the server authentication module 1110 can store this association of user 1080 to the various social networking services for faster processing when looking up authentication information in the future.

For example, if user 1080 is named “John Smith,” and his phone number is “555-555-5555,” and he is a member of social networking service A 1010 with member id “1234” and social networking service B 1020 with member id “5678”, upon launching a social networking application 1070 associated with social networking service A 1010, social networking application 1070 sends the authentication/authorization information for social networking service A 1010 to server authentication module 1110 along with identifying information for user 1080. Server authentication module 1110 has no record of any other sessions for user 1080 and does not pass back any sessions to social networking application 1070. Once user 1080 launches another social networking application on social networking service B, that also communicates with social networking application service 1090, the server authentication module 1110 determines based on items such as name, phone number, etc., that user 1080 has member account “1234” on social networking service A 1010 and “5678” on social networking service B 1020. The association is saved for later use, and any previous session on social networking service A 1010 is sent to the calling social networking application.

FIG. 3 shows one example method of the present disclosure. At 3010 a user logs onto one of the social networks 1010-1030, 1120. Usually, this requires the user to enter certain credentials. The credentials can include a username and a password, biometric data such as fingerprints, voice matching, PIN number, ID number, or the like. Once the user is logged in, in some examples, the social networking service stores an internet cookie on user terminal 1050 with information signifying that the user is logged in. At step 3020 the user selects an application from the social network. In some examples the application may be a game, productivity application such as a word processor, a spreadsheet, messaging application, marketplace application, media application, dating application, and any other application that may be associated with, or access the API of one or more social networking services. In other examples, the user may visit social networking application service 1090, which then may prompt the user 1080 to login to one of the social networking services 1010-1030, 1120 through the use of certain authentication and authorization APIs provided by social networking services 1010-1030, 1120.

At step 3030, the user's browser is directed to fetch or download an application from an application module 1100 on a social networking application service 1090 by the social networking service. In some examples the application is displayed in an IFRAME HTML element. In step 3040, the application executes on a user's computer or terminal 1050.

Turning now to FIG. 4, in some examples, the social networking application client authentication module 2010 redirects internet browser 1060 to an authorization and authentication dialog on the social networking service. Social networking application 1070 passes an application id to social networking service. The application id identifies the application and is given to social networking application 1070 when social networking application 1070 registers with social networking service. In one example, the social networking service checks to see if the user is already logged in by checking for the internet cookie stored on user terminal 1050. If the cookie is not present, the social networking service requires the user to login. The user logs in by providing the social networking service with their credentials.

In one example, once the user is logged in, the social networking service asks the user 1080 to grant certain permissions to the social networking application 1070. These permissions are required to be granted by the user 1080 so that the social networking application can obtain personal information of the user and take actions on behalf of the user. Some example permissions include access to all or certain sections of a member profile page, access to information about a user's activities, birthday, education, hometown, relationships, religion or politics, status, videos, website, media, work information, email, lists of other members connected with a particular member, email messages, blog postings, news feed postings, chat applications, address information, and phone number. Other example permissions include allowing the application to post content and comments to the user's blog or news feed or stream, or to post such content and comments to individuals who are connected with a particular user; creating events on behalf of the user; R.S.V.P. to events on behalf of the user; send SMS or text messages on behalf of the user and the like. In some examples, permissions can be read only, read/write, read/write/delete and the like. The user is given the option to grant or deny access. If the user denies access, authentication stops and the social networking application 1070 either terminates, or continues with reduced functionality. In other examples, before redirecting the user's browser 1060 to the authorization and authentication dialog, social networking application 1070 first obtains a request token from the social networking service, and uses the request token along with the application id to request the authorization and authentication dialog on the social networking service.

Once the user authorizes the application and authenticates with the social networking service, the social networking service passes back to the social networking application an authorization code or verifier at 4020. The social networking application can then send this code or verifier along with the application id, and in examples in which the request token is obtained, the request token, to the social networking service and can receive in return authentication information at 4030. The authentication information in some examples can be an access token which is passed to the social networking service as part of the API call to establish the social networking application's authority to utilize the API call. This access token can correspond to a “session” between the social networking application 1070 and the social networking service. This authentication information can then be used to access certain protected APIs of the social networking service according to the permissions granted by user 1080.

In some examples, the communications between the social networking application and the social networking services are encrypted. In some examples, the communications are exchanged using HTTPS (Hypertext Transfer Protocol Secure), or in clear text but signed with a secret key that the application and the social networking service have previously determined; any other encryption mechanism can also be used to prevent eavesdropping.
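The "clear text but signed with a secret key" option can be sketched with an HMAC over the request. This is an added example, not the patent's or any service's scheme; a signature of this kind gives integrity and origin authentication only, so the payload stays readable on the wire unless HTTPS is also used. The canonical form, field names, timestamp window and nonce cache are assumptions.

```python
import hashlib
import hmac
import time
from urllib.parse import quote

MAX_SKEW = 300  # seconds of clock difference tolerated (assumption)


def canonical(method, path, fields):
    """Deterministic byte string covering method, path and every field."""
    pairs = sorted((quote(str(k), safe=""), quote(str(v), safe=""))
                   for k, v in fields.items())
    query = "&".join(k + "=" + v for k, v in pairs)
    return "\n".join([method.upper(), path, query]).encode()


def sign(secret, method, path, fields):
    """HMAC-SHA256 over the canonical request, keyed with the shared secret."""
    return hmac.new(secret, canonical(method, path, fields),
                    hashlib.sha256).hexdigest()


def build_request(secret, app_id, method, path, params, now, nonce):
    """Application side: add app id, timestamp and nonce, then sign all of it."""
    fields = dict(params, app_id=app_id, ts=str(int(now)), nonce=nonce)
    fields["sig"] = sign(secret, method, path, fields)
    return fields


class Verifier:
    """Service side: checks origin, integrity, freshness and replay."""

    def __init__(self, secrets_by_app, clock=time.time):
        self._secrets = secrets_by_app
        self._clock = clock
        self._seen = {}   # (app_id, nonce) -> timestamp of first use

    def verify(self, method, path, fields):
        fields = dict(fields)
        given = str(fields.pop("sig", ""))
        secret = self._secrets.get(fields.get("app_id"))
        if secret is None:
            return "unknown app"
        expected = sign(secret, method, path, fields)
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), given.encode()):
            return "bad signature"
        now = self._clock()
        try:
            ts = int(fields["ts"])
        except (KeyError, ValueError):
            return "stale"
        if abs(now - ts) > MAX_SKEW:
            return "stale"
        # Forget nonces that are too old to pass the freshness check anyway.
        self._seen = {k: t for k, t in self._seen.items()
                      if now - t <= MAX_SKEW}
        key = (fields["app_id"], fields.get("nonce"))
        if key in self._seen:
            return "replay"
        self._seen[key] = ts
        return "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed sample value
    verifier = Verifier({"app-1": secret})
    req = build_request(secret, "app-1", "POST", "/feed",
                        {"message": "hi"}, time.time(), "n1")
    print(verifier.verify("POST", "/feed", req))    # first delivery
    print(verifier.verify("POST", "/feed", req))    # same request again
```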

Social networking application client authentication module 2010 can validate the authentication information at 4040. In some examples, the validation ensures that the access token has not expired and is correctly formed. The authentication information can then be passed to the social network application service server authentication module 1110 at 4050 in order to store the authentication information and to signal social networking application service server authentication module 1110 to send to the social networking application client authentication module 2010 the authentication information of other social networks in order to allow API calls to other social networks. In some examples, the social networking application service can also send additional information in order to assist server authentication module 1110 in identifying the user 1080. This information can be gathered by social networking application 1070 by utilizing certain API calls of the social networking service to which it is authenticated and authorized.

Turning now to FIG. 5, after receiving the authentication information, the social networking application service server authentication module 1110 validates the authentication information and stores it in step 5010. The validation in some examples is the same or similar to the validation procedures executed on the client authentication module 2010 of the social networking application 1070.

At 5020, social networking applications service in some examples establishes a session for user 1080 with social networking service D 1120 if one doesn't already exist based upon the authentication information and user information sent by social networking application 1070. Authentication information for the user 1080 sent back to client authentication module 2010 can include the authentication information for social networking service D. In some examples, social networking service D 1120 can be the server authentication module 1110.

In step 5030, the social networking application service server authentication module 1110 searches the data store 1130 for any other valid authentication information relating to other social networking services 1010-1030 and social networking service D 1120 for user 1080. If anything is found, the authentication information can be validated to make sure it is not expired.

At 5040, the social networking application service server authentication module 1110 returns to the social networking application client authentication module 2010 any valid authentication information for other social networking services, including in some examples, social networking service D 1120, that was found in step 5030.

Once this information is sent to social networking application 1070, the social networking application 1070 can load the appropriate code to handle the various social networking APIs for the social networks for which valid authentication information is associated. At 6020, the social networking application 1070 can then utilize the functions, APIs, and user data of other social networks by utilizing the authentication information.

In some examples, the social networking application 1070 can query server authentication module 1110 for authentication information prior to authenticating with the host social networking service. The server authentication module 1110 may already have authentication information for user 1080 which can be sent to social networking application 1070. This can remove the need to reauthenticate or reauthorize, saving time and resources. In some examples, if the access token has expired, it may be possible to obtain a new access token simply by sending the application id or other identification along with the expired access token to the social networking service 1010-1030. The social networking service can then send back a fresh access token.
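Steps 5010 through 5040 and the pre-authentication query can be sketched as a small token store that validates on the way in and again on the way out. This is an added example, not the patent's implementation: `ServerAuthModule`, `AuthInfo`, the token length bounds and the service names are assumptions, and the `user` key is assumed to have been resolved already from the identifying information the application sends.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class AuthInfo:
    service: str        # which social networking service issued the token
    access_token: str   # opaque token obtained at 4030
    expires_at: float   # expiry as epoch seconds


def is_valid(info: AuthInfo, now: float) -> bool:
    """Validation from 4040/5010: correctly formed and not expired."""
    tok = info.access_token
    well_formed = (
        isinstance(tok, str)
        and 16 <= len(tok) <= 512           # length bounds are an assumption
        and tok.isascii()
        and tok.isprintable()
        and not any(c.isspace() for c in tok)
    )
    return well_formed and info.expires_at > now


class ServerAuthModule:
    """Hypothetical stand-in for module 1110 backed by data store 1130."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._store: Dict[str, Dict[str, AuthInfo]] = {}  # user -> service -> info

    def _others(self, user: str, exclude: Optional[str]) -> List[AuthInfo]:
        """Step 5030: look up the user's entries, dropping expired ones."""
        now = self._clock()
        entries = self._store.get(user, {})
        for svc in [s for s, i in entries.items() if not is_valid(i, now)]:
            del entries[svc]                # never hand back a stale token
        return sorted((i for s, i in entries.items() if s != exclude),
                      key=lambda i: i.service)

    def submit(self, user: str, info: AuthInfo) -> List[AuthInfo]:
        """Steps 5010-5040: validate, store, return other valid tokens."""
        if not is_valid(info, self._clock()):
            raise ValueError("malformed or expired authentication information")
        self._store.setdefault(user, {})[info.service] = info
        return self._others(user, exclude=info.service)

    def query(self, user: str) -> List[AuthInfo]:
        """Query made before authenticating with the host service."""
        return self._others(user, exclude=None)


def demo():
    """Constructed scenario with a controllable clock."""
    t = [1000.0]
    server = ServerAuthModule(clock=lambda: t[0])
    a = AuthInfo("service_a", "A" * 32, expires_at=1600.0)
    b = AuthInfo("service_b", "B" * 32, expires_at=5000.0)
    first = server.submit("user-1080", a)    # nothing else stored yet
    second = server.submit("user-1080", b)   # service_a's token comes back
    t[0] = 2000.0                            # service_a's token has expired
    later = server.query("user-1080")        # only service_b is returned
    return first, second, later


if __name__ == "__main__":
    for step in demo():
        print([i.service for i in step])
```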

Other Notes and Examples

Disclosed in one example is a method of authenticating with multiple social network services. The method may include storing first authentication information associated with a user for a first social networking service using at least one computer processor, receiving second authentication information associated with the user for a second social networking service from a social networking application, and sending to the social networking application the first authentication information. The first authentication information may enable the social networking application to utilize a protected application programming interface call for the first social networking service and the second authentication information may enable the social networking application to utilize a protected application programming interface call for the second social networking service.

Disclosed in another example is a system for authenticating with multiple social networks. The system may include a storage module configured to store first authentication information associated with a user for a first social networking service using at least one computer processor, an authentication module configured to receive second authentication information associated with the user for a second social networking service from a social networking application and send to the social networking application the first authentication information. The first authentication information may enable the social networking application to utilize a protected application programming interface call for the first social networking service and the second authentication information may enable the social networking application to utilize a protected application programming interface call for the second social networking service.

Disclosed in another example is a method of communicating with multiple social networks. The method may include receiving at a social networking application first authentication information for a user from a first social networking service, sending the first authentication information to an authorization server, receiving from the authorization server second authentication information for a second social network for the user, and accessing an application programming interface of both the first and second social networking services using both the first and second authentication information.

Disclosed in another example is a machine readable storage medium that stores instructions, which when performed by a machine, causes the machine to perform operations. The operations may include storing first authentication information associated with a user for a first social networking service using at least one computer processor, receiving second authentication information associated with the user for a second social networking service from a social networking application, and sending to the social networking application the first authentication information. The first authentication information may enable the social networking application to utilize a protected application programming interface call for the first social networking service and the second authentication information may enable the social networking application to utilize a protected application programming interface call for the second social networking service.

Disclosed in yet another example is a machine readable storage medium that stores instructions, which when performed by a machine, causes the machine to perform operations. The operations may include receiving at a social networking application first authentication information for a user from a first social networking service, sending the first authentication information to an authorization server, receiving from the authorization server second authentication information for a second social network for the user, and accessing an application programming interface of both the first and second social networking services using both the first and second authentication information.

These examples can be combined in any permutation or combination. This non-limiting summary is intended to provide an overview of subject matter of the present patent application. It is not intended to provide an exclusive or exhaustive explanation of the invention. The detailed description is included to provide further information about the present patent application.

Modules, Components and Logic

Certain embodiments are described herein as including logic or a number of components, modules, or mechanisms. Modules may constitute either software modules (e.g., code embodied (1) on a non-transitory machine-readable medium or (2) in a transmission signal) or hardware-implemented modules. A hardware-implemented module is a tangible unit capable of performing certain operations and may be configured or arranged in a certain manner. In example embodiments, one or more computer systems (e.g., a standalone, client or server computer system) or one or more processors may be configured by software (e.g., an application or application portion) as a hardware-implemented module that operates to perform certain operations as described herein.

In various embodiments, a hardware-implemented module may be implemented mechanically or electronically. For example, a hardware-implemented module may comprise dedicated circuitry or logic that is permanently configured (e.g., as a special-purpose processor, such as a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC)) to perform certain operations. A hardware-implemented module may also comprise programmable logic or circuitry (e.g., as encompassed within a general-purpose processor or other programmable processor) that is temporarily configured by software to perform certain operations. It will be appreciated that the decision to implement a hardware-implemented module mechanically, in dedicated and permanently configured circuitry, or in temporarily configured circuitry (e.g., configured by software) may be driven by cost and time considerations.

Accordingly, the term “hardware-implemented module” should be understood to encompass a tangible entity, be that an entity that is physically constructed, permanently configured (e.g., hardwired) or temporarily or transitorily configured (e.g., programmed) to operate in a certain manner and/or to perform certain operations described herein. Considering embodiments in which hardware-implemented modules are temporarily configured (e.g., programmed), each of the hardware-implemented modules need not be configured or instantiated at any one instance in time. For example, where the hardware-implemented modules comprise a general-purpose processor configured using software, the general-purpose processor may be configured as respective different hardware-implemented modules at different times. Software may accordingly configure a processor, for example, to constitute a particular hardware-implemented module at one instance of time and to constitute a different hardware-implemented module at a different instance of time.

Hardware-implemented modules may provide information to, and receive information from, other hardware-implemented modules. Accordingly, the described hardware-implemented modules may be regarded as being communicatively coupled. Where multiple of such hardware-implemented modules exist contemporaneously, communications may be achieved through signal transmission (e.g., over appropriate circuits and buses) that connect the hardware-implemented modules. In embodiments in which multiple hardware-implemented modules are configured or instantiated at different times, communications between such hardware-implemented modules may be achieved, for example, through the storage and retrieval of information in memory structures to which the multiple hardware-implemented modules have access. For example, one hardware-implemented module may perform an operation, and store the output of that operation in a memory device to which it is communicatively coupled. A further hardware-implemented module may then, at a later time, access the memory device to retrieve and process the stored output. Hardware-implemented modules may also initiate communications with input or output devices, and may operate on a resource (e.g., a collection of information).

The various operations of example methods described herein may be performed, at least partially, by one or more processors that are temporarily configured (e.g., by software) or permanently configured to perform the relevant operations. Whether temporarily or permanently configured, such processors may constitute processor-implemented modules that operate to perform one or more operations or functions. The modules referred to herein may, in some example embodiments, comprise processor-implemented modules.

Similarly, the methods described herein may be at least partially processor-implemented. For example, at least some of the operations of a method may be performed by one or more processors or processor-implemented modules. The performance of certain of the operations may be distributed among the one or more processors, not only residing within a single machine, but deployed across a number of machines. In some example embodiments, the processor or processors may be located in a single location (e.g., within a home environment, an office environment or as a server farm), while in other embodiments the processors may be distributed across a number of locations.

The one or more processors may also operate to support performance of the relevant operations in a “cloud computing” environment or as a “software as a service” (SaaS). For example, at least some of the operations may be performed by a group of computers (as examples of machines including processors), these operations being accessible via a network (e.g., the Internet) and via one or more appropriate interfaces (e.g., Application Program Interfaces (APIs).)

Electronic Apparatus and System

Example embodiments may be implemented in digital electronic circuitry, or in computer hardware, firmware, software, or in combinations of them. Example embodiments may be implemented using a computer program product, e.g., a computer program tangibly embodied in an information carrier, e.g., in a machine-readable medium for execution by, or to control the operation of, data processing apparatus, e.g., a programmable processor, a computer, or multiple computers.

A computer program may be written in any form of programming language, including compiled or interpreted languages, and it may be deployed in any form, including as a stand-alone program or as a module, subroutine, or other unit suitable for use in a computing environment. A computer program may be deployed to be executed on one computer or on multiple computers at one site or distributed across multiple sites and interconnected by a communication network.

In example embodiments, operations may be performed by one or more programmable processors executing a computer program to perform functions by operating on input data and generating output. Method operations may also be performed by, and apparatus of example embodiments may be implemented as, special purpose logic circuitry, e.g., a field programmable gate array (FPGA) or an application-specific integrated circuit (ASIC).

The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. In embodiments deploying a programmable computing system, it will be appreciated that both hardware and software architectures require consideration. Specifically, it will be appreciated that the choice of whether to implement certain functionality in permanently configured hardware (e.g., an ASIC), in temporarily configured hardware (e.g., a combination of software and a programmable processor), or a combination of permanently and temporarily configured hardware may be a design choice. Below are set out hardware (e.g., machine) and software architectures that may be deployed, in various example embodiments.

Example Machine Implementation

FIG. 7 shows a diagrammatic representation of a machine in the example form of a computer system 7000 within which a set of instructions for causing the machine to perform any one or more of the methods, processes, operations, or methodologies discussed herein may be executed. In alternative embodiments, the machine operates as a standalone device or may be connected (e.g., networked) to other machines. In a networked deployment, the machine may operate in the capacity of a server or a client machine in a server-client network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine may be a Personal Computer (PC), a tablet PC, a Set-Top Box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a Web appliance, a network router, switch or bridge, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein. Example embodiments can also be practiced in distributed system environments where local and remote computer systems that are linked (e.g., either by hardwired, wireless, or a combination of hardwired and wireless connections) through a network, both perform tasks. In a distributed system environment, program modules may be located in both local and remote memory-storage devices (see below).

The example computer system 7000 includes a processor 7002 (e.g., a Central Processing Unit (CPU), a Graphics Processing Unit (GPU) or both), a main memory 7001 and a static memory 7006, which communicate with each other via a bus 7008. The computer system 7000 may further include a video display unit 7010 (e.g., a Liquid Crystal Display (LCD) or a Cathode Ray Tube (CRT)). The computer system 7000 also includes an alphanumeric input device 7012 (e.g., a keyboard), a User Interface (UI) cursor controller 7014 (e.g., a mouse), a disk drive unit 7016, a signal generation device 7018 (e.g., a speaker) and a network interface device 7020 (e.g., a transmitter).

The disk drive unit 7016 includes a machine-readable medium 7022 on which is stored one or more sets of instructions 7024 and data structures (e.g., software) embodying or used by any one or more of the methodologies or functions illustrated herein. The software may also reside, completely or at least partially, within the main memory 7001 and/or within the processor 7002 during execution thereof by the computer system 7000, the main memory 7001 and the processor 7002 also constituting machine-readable media.

The instructions 7024 may further be transmitted or received over a network 7026 via the network interface device 7020 using any one of a number of well-known transfer protocols (e.g., HTTP, Session Initiation Protocol (SIP)).

The term “machine-readable medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. The term “machine-readable medium” shall also be taken to include any medium that is capable of storing, encoding, or carrying a set of instructions for execution by the machine and that cause the machine to perform any of the one or more of the methodologies illustrated herein. The term “machine-readable medium” shall accordingly be taken to include, but not be limited to, solid-state memories, and optical and magnetic medium.

Method embodiments illustrated herein may be computer-implemented. Some embodiments may include computer-readable media encoded with a computer program (e.g., software), which includes instructions operable to cause an electronic device to perform methods of various embodiments. A software implementation (or computer-implemented method) may include microcode, assembly language code, or a higher-level language code, which further may include computer readable instructions for performing various methods. The code may form portions of computer program products. Further, the code may be tangibly stored on one or more volatile or non-volatile computer-readable media during execution or at other times. These computer-readable media may include, but are not limited to, hard disks, removable magnetic disks, removable optical disks (e.g., compact disks and digital video disks), magnetic cassettes, memory cards or sticks, Random Access Memories (RAMs), Read Only Memories (ROMs), and the like.

Additional Notes

The above detailed description includes references to the accompanying drawings, which form a part of the detailed description. The drawings show, by way of illustration, specific embodiments in which the invention can be practiced. These embodiments are also referred to herein as “examples.” Such examples can include elements in addition to those shown or described. However, the present inventors also contemplate examples in which only those elements shown or described are provided. Moreover, the present inventors also contemplate examples using any combination or permutation of those elements shown or described (or one or more aspects thereof), either with respect to a particular example (or one or more aspects thereof), or with respect to other examples (or one or more aspects thereof) shown or described herein.

All publications, patents, and patent documents referred to in this document are incorporated by reference herein in their entirety, as though individually incorporated by reference. In the event of inconsistent usages between this document and those documents so incorporated by reference, the usage in the incorporated reference(s) should be considered supplementary to that of this document; for irreconcilable inconsistencies, the usage in this document controls.

In this document, the terms “a” or “an” are used, as is common in patent documents, to include one or more than one, independent of any other instances or usages of “at least one” or “one or more.” In this document, the term “or” is used to refer to a nonexclusive or, such that “A or B” includes “A but not B,” “B but not A,” and “A and B,” unless otherwise indicated. In this document, the terms “including” and “in which” are used as the plain-English equivalents of the respective terms “comprising” and “wherein.” Also, in the following claims, the terms “including” and “comprising” are open-ended, that is, a system, device, article, or process that includes elements in addition to those listed after such a term in a claim are still deemed to fall within the scope of that claim. Moreover, in the following claims, the terms “first,” “second,” and “third,” etc. are used merely as labels, and are not intended to impose numerical requirements on their objects.

The above description is intended to be illustrative, and not restrictive. For example, the above-described examples (or one or more aspects thereof) may be used in combination with each other. Other embodiments can be used, such as by one of ordinary skill in the art upon reviewing the above description. The Abstract is provided to comply with 37 CFR. §1.72(b), to allow the reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. Also, in the above Detailed Description, various features may be grouped together to streamline the disclosure. This should not be interpreted as intending that an unclaimed disclosed feature is essential to any claim. Rather, inventive subject matter may lie in less than all features of a particular disclosed embodiment. Thus, the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment, and it is contemplated that such embodiments can be combined with each other in various combinations or permutations. The scope of the invention should be determined with reference to the appended claims, along with the full scope of equivalents to which such claims are entitled.

1-20. (canceled)
21. A method of authenticating an application with a network-based content service, the method comprising: at an application server: receiving, over a network, an authentication token from the application, the application previously obtaining the authentication token over the network from the network-based content service after completing an authenticating process with the network-based content service; storing the authentication token in a database of the application server; after receiving the authentication token, receiving, over the network, a request from the application for the authentication token for the network-based content service; obtaining the authentication token from the database; sending, over the network, the authentication token to the application, the application using the token to re-authenticate with the network-based content service.
22. The method of claim 21, wherein the application server sends the application over the network to a computing device of the user.
23. The method of claim 21, wherein the authentication token has expired, and wherein the method further comprises renewing of the authentication token by the application.
24. The method of claim 21, comprising: receiving, over a network, a second authentication token from a second application, the second application obtaining the authentication token over the network from a second network-based application service after completing an authentication process with the second network-based application service; and determining that both the first and second authentication tokens correspond to a same user, and storing a correlation of the first and second authentication token in the database of the application service.
25. The method of claim 21, comprising: sending a request for information on a user of the application, using the authentication token, to the network-based content service; receiving from the network-based content service, the information on the user; and sending, over the network, the information on the user to a second application executing within a framework of a second network-based content service.
26. The method of claim 21, further comprising: prior to receiving, over the network, the authentication token: receiving a request for the authentication token from the application; determining that the authentication token for the network-based content service has not been received for the application; sending a response indicating that the application server does not have the authentication token; and wherein the application authenticates with the network-based content service in response to the response indicating that the application server does not have the authentication token.
27. The method of claim 21, wherein the application is a social networking application and wherein the network-based content service is a social networking service.
28. The method of claim 27, wherein the social networking application is a game.
29. A system for authenticating an application with a network-based content service, the system comprising: an application server comprising: a processor; and a memory, the memory storing instructions, which when executed by the processor, cause the processor to perform operations comprising: receiving, over a network, an authentication token from the application, the application previously obtaining the authentication token over the network from the network-based content service after completing an authenticating process with the network-based content service; storing the authentication token in a database of the application server; after receiving the authentication token, receiving, over the network, a request from the application for the authentication token for the network-based content service; obtaining the authentication token from the database; sending, over the network, the authentication token to the application, the application using the token to re-authenticate with the network-based content service.
30. The system of claim 29, wherein the operations comprise sending the application over the network to a computing device of the user.
31. The system of claim 29, wherein the authentication token has expired, and wherein the authentication token is renewed by the application.
32. The system of claim 29, wherein the operations further comprise: receiving, over a network, a second authentication token from a second application, the second application obtaining the authentication token over the network from a second network-based application service after completing an authentication process with the second network-based application service; and determining that both the first and second authentication tokens correspond to a same user, and storing a correlation of the first and second authentication token in the database of the application service.
33. The system of claim 29, wherein the operations further comprise: sending a request for information on a user of the application, using the authentication token, to the network-based content service; receiving from the network-based content service, the information on the user; and sending, over the network, the information on the user to a second application executing within a framework of a second network-based content service.
34. The system of claim 29, wherein the operations further comprise: prior to receiving, over the network, the authentication token: receiving a request for the authentication token from the application; determining that the authentication token for the network-based content service has not been received for the application; sending a response indicating that the application server does not have the authentication token; and wherein the application authenticates with the network-based content service in response to the response indicating that the application server does not have the authentication token.
35. A non-transitory machine readable medium storing instructions, which when executed by a machine, causes the machine to perform operations comprising: receiving, over a network, an authentication token from an application, the application previously obtaining the authentication token over a network from the network-based content service after completing an authenticating process with the network-based content service; storing the authentication token in a database; after receiving the authentication token, receiving, over the network, a request from the application for the authentication token for the network-based content service; obtaining the authentication token from the database; sending, over the network, the authentication token to the application, the application using the token to re-authenticate with the network-based content service.
36. The machine-readable medium of claim 35, wherein the operations comprise sending the application over the network to a computing device of the user.
37. The machine-readable medium of claim 35, wherein the authentication token has expired, and wherein the authentication token is renewed by the application.
38. The machine-readable medium of claim 35, wherein the operations further comprise: receiving, over a network, a second authentication token from a second application, the second application obtaining the authentication token over the network from a second network-based application service after completing an authentication process with the second network-based application service; and determining that both the first and second authentication tokens correspond to a same user, and storing a correlation of the first and second authentication token in the database of the application service.
39. The machine-readable medium of claim 35, wherein the operations further comprise: sending a request for information on a user of the application, using the authentication token, to the network-based content service; receiving from the network-based content service, the information on the user; and sending, over the network, the information on the user to a second application executing within a framework of a second network-based content service.
40. The machine-readable medium of claim 35, wherein the operations further comprise: prior to receiving, over the network, the authentication token: receiving a request for the authentication token from the application; determining that the authentication token for the network-based content service has not been received for the application; sending a response indicating that the authentication token is not available; and wherein the application authenticates with the network-based content service in response to the response indicating that the authentication token is not available.